CVE-2023-39943
Published: 04 February 2025
Description
In Ashlar-Vellum Cobalt versions prior to v12 SP2 Build (1204.200), the affected application lacks proper validation of user-supplied data when parsing XE files. This could lead to an out-of-bounds write. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process.
Security Summary
CVE-2023-39943 is a vulnerability in Ashlar-Vellum Cobalt versions prior to v12 SP2 Build (1204.200), where the application fails to properly validate user-supplied data during XE file parsing. This flaw, classified under CWE-787 (Out-of-bounds Write), can result in an out-of-bounds write condition. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
A local attacker can exploit this vulnerability by crafting a malicious XE file and tricking a user into opening it within the affected application, requiring no privileges (PR:N) and low complexity (AC:L), though user interaction is necessary (UI:R). Successful exploitation enables arbitrary code execution in the context of the current process, granting the attacker high levels of control over confidentiality, integrity, and availability.
Mitigation guidance is available in the CISA ICS Advisory ICSA-23-299-03, accessible at https://www.cisa.gov/news-events/ics-advisories/icsa-23-299-03.
Details
- CWE(s)